I wish to explain why the current approach to ‘ASICBOOST’ dose not comply with our established best practices for security vulnerabilities and suggest what I consider to be an approach closer matching established industry best practices.

1. Significant deviations from the Bitcoin Security Model have been acknowledged as security vulnerabilities.

The Bitcoin Security Model assumes that every input into the Proof-of-Work function should have the same difficulty of producing a desired output.

2. General ASIC optimisation cannot be considered a Security Vulnerabilities.

Quickly being able to check inputs is not a vulnerability. However, being able to craft inputs that are significantly easier to check than alternative inputs is a vulnerability.

3. We should assign a CVE to the vulnerability exploited by ‘ASICBOOST’.

‘ASICBOOST’ is an attack on this Bitcoin’s security assumptions and should be considered an exploit of the Bitcoin Proof-of-Work Function.

For a more detailed look at ‘ASICBOOST’, please have a look at this excellent document by Jeremy Rubin:http://www.mit.edu/~jlrubin//public/pdfs/Asicboost.pdf

The Bitcoin Community should be able to track the progress of restoring the quality of the Bitcoin Proof-of-Work function to its original assumptions.

4. Work should be taken to prudently and swiftly restore Bitcoins Security Properties.

I recommend the Bitcoin Community fix this vulnerability with expediency.

Cameron.

PS:

With a soft-fork it probably is possible to completely fix this Proof-of-Work vulnerability.

(Here is my working list of things to do):

1. Include extra data in the Coinbase Transaction, such as the Witness Root.

2. Lock the Version. (Use a space in the Coinbase Transaction for signalling future upgrades).

3. Lock the lower-bits on the Timestamp: Block timestamps only need ~1minute granularity.

4. Make a deterministic ordering of transaction chains within a block. (However, I believe this option is more difficult).

Of course, if we have a hard-fork, we should consider the Proof-of-Work internal merkle structure directly.

Locking the lower bits on the timestamp will likely break existinghardware that relies on being able to roll ntime.

On Thu, May 18, 2017 at 8:44 AM, Cameron Garnham via bitcoin-dev

Post by Cameron Garnham via bitcoin-devHello Bitcoin Development Mailing List,I wish to explain why the current approach to ‘ASICBOOST’ dose not comply with our established best practices for security vulnerabilities and suggest what I consider to be an approach closer matching established industry best practices.1. Significant deviations from the Bitcoin Security Model have been acknowledged as security vulnerabilities.The Bitcoin Security Model assumes that every input into the Proof-of-Work function should have the same difficulty of producing a desired output.2. General ASIC optimisation cannot be considered a Security Vulnerabilities.Quickly being able to check inputs is not a vulnerability. However, being able to craft inputs that are significantly easier to check than alternative inputs is a vulnerability.3. We should assign a CVE to the vulnerability exploited by ‘ASICBOOST’.‘ASICBOOST’ is an attack on this Bitcoin’s security assumptions and should be considered an exploit of the Bitcoin Proof-of-Work Function.http://www.mit.edu/~jlrubin//public/pdfs/Asicboost.pdfThe Bitcoin Community should be able to track the progress of restoring the quality of the Bitcoin Proof-of-Work function to its original assumptions.4. Work should be taken to prudently and swiftly restore Bitcoins Security Properties.I recommend the Bitcoin Community fix this vulnerability with expediency.Cameron.With a soft-fork it probably is possible to completely fix this Proof-of-Work vulnerability.1. Include extra data in the Coinbase Transaction, such as the Witness Root.2. Lock the Version. (Use a space in the Coinbase Transaction for signalling future upgrades).3. Lock the lower-bits on the Timestamp: Block timestamps only need ~1minute granularity.4. Make a deterministic ordering of transaction chains within a block. (However, I believe this option is more difficult).Of course, if we have a hard-fork, we should consider the Proof-of-Work internal merkle structure directly._______________________________________________bitcoin-dev mailing listhttps://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Post by Cameron Garnham via bitcoin-dev1. Significant deviations from the Bitcoin Security Model have beenacknowledged as security vulnerabilities.The Bitcoin Security Model assumes that every input into the Proof-of-Workfunction should have the same difficulty of producing a desired output.

This isn't really that clear.

Arguably as long as the effort to find a block is proportional to the blockdifficulty parameter, then it isn't an exploit. It is just an optimisation.

A quantum computer, for example, could find a block with effortproportional to the square root of the difficulty parameter, so that wouldcount as an attack. Though in that case, the fix would likely be to tweakthe difficulty parameter update calculation.

A better definition would be something like "when performing work, eachhash should be independent".

Am I correct that this suggest is that you think it is an optimisation to find some nonces having lower difficulty than other nonces?

I would agree with you if this was limited to a dedicated nonce area of the Bitcoin System.

However, in the case of Bitcoin it is a layer violation that the PoW function difficulty could be affected by the choice the transaction ordering, or the content of the Coinbase Transaction, etc. Possibly giving unnatural and unintended incentives to other parts of the Bitcoin System.

I can see two issues at play here:

1. The choice of input, outside of the dedicated nonce area, fed the PoW function should not change itâs difficulty to evaluate.2. Every PoW function execution should be independent.

I think that both of these are security assumptions of the Bitcoin PoW function.

I consider ASICBOOST as an attack upon both accounts.

Cameron.

Post by Cameron Garnham via bitcoin-dev1. Significant deviations from the Bitcoin Security Model have been acknowledged as security vulnerabilities.The Bitcoin Security Model assumes that every input into the Proof-of-Work function should have the same difficulty of producing a desired output.This isn't really that clear.Arguably as long as the effort to find a block is proportional to the block difficulty parameter, then it isn't an exploit. It is just an optimisation.A quantum computer, for example, could find a block with effort proportional to the square root of the difficulty parameter, so that would count as an attack. Though in that case, the fix would likely be to tweak the difficulty parameter update calculation.A better definition would be something like "when performing work, each hash should be independent".ASICBOOST does multiple checks in parallel, so would violate that.

Post by Cameron Garnham via bitcoin-dev3. We should assign a CVE to the vulnerability exploited by ‘ASICBOOST’.‘ASICBOOST’ is an attack on this Bitcoin’s security assumptions andshould be considered an exploit of the Bitcoin Proof-of-WorkFunction.

One principled way to proceed would be to fault not the exploit, butthe protocol design.

Bits in the block header have been discovered which could be used fordual meanings, and at least one meaning does not preserve theincentive balances intended and assumed by others. This unexpectedlycreates an incentive to block protocol improvements. The protocolmust be repaired.

In this view, which focuses on covert-ASICBOOST, how work is done isup to the implementation. But if the hashing work specified possiblycould gain from blocking development work, then we have avulnerability.

One principled way to proceed would be to fault not the exploit, butthe protocol design.

Bits in the block header have been discovered which could be used fordual meanings, and at least one meaning does not preserve theincentive balances intended and assumed by others. This unexpectedlycreates an incentive to block protocol improvements. The protocolmust be repaired.

In this view, which focuses on covert-ASICBOOST, how work is done isup to the implementation. But if the hashing work specified possiblycould gain from blocking development work, then we have avulnerability.